Uploaded image for project: 'OpenAM'
  1. OpenAM
  2. OPENAM-5260

Provide option to only sign Response when using HTTP-POST binding

    Details

    • Type: New Feature
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 10.0.0, 10.0.2, 11.0.0, 11.0.2, 12.0.0
    • Fix Version/s: 10.0.3, 11.0.3, 12.0.1, 13.0.0
    • Component/s: SAML
    • Labels:
    • Support Ticket IDs:

      Description

      For HTTP-POST binding to when sending a response to SP the current behaviour is:

      1) Sign the Response based on the signResponse (SP>Assertion Content >Post Response Signed) flag.
      2) Always sign the Assertion.

      This was based on original ``4.1.4.5 POST-Specific Processing Rules`` in SAML profiles spec saml-profiles-2.0-os.pdf states

      Current https://www.oasis-open.org/committees/download.php/35389/sstc-saml-profiles-errata-2.0-wd-06-diff.pdf states

      If the HTTP POST binding is used to deliver the <Response>, each assertion MUST be protected by a digital signature. This can be accomplished by signing each individual <Assertion> element or by signing the <Response> element.
      

      Need to update behaviour in IDPSSOUtil.sendResponse() (POST-Binding) to
      1) If signResponse = true sign the response and also sign the assertion only if signAssertion = true.

      2) If signResponse = false the assertion must be signed (SP>Assertion Content > Artifact Response Signed)

        Attachments

          Issue Links

            Activity

              People

              • Assignee:
                jonthomas Jonathan Thomas
                Reporter:
                jonthomas Jonathan Thomas
              • Votes:
                0 Vote for this issue
                Watchers:
                3 Start watching this issue

                Dates

                • Created:
                  Updated:
                  Resolved: